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Abstract 



We prove that the subset sum problem 



- ^SUB) 
X e {0,1}" ^ ' 

has a polynomial time computable certificate of infeasibility for all a with density at most 1/ (2n), 
and for almost all /3 integer right hand sides. The certificate is branching on a hypcrplane, i.e. 
by a methodology dual to the one explored by Lagarias and Odlyzko Frieze [3j; Furst and 
Kannan [4 ; and Coster et. al. in [T]. 

The proof has two ingredients. We first prove that a vector that is near parallel to a is a 
suitable branching direction, regardless of the density. Then we show that for a low density a 
such a near parallel vector can be computed using diophantine approximation, via a methodology 
introduced by Frank and Tardos in [2] . 

We also show that there is a small number of long intervals whose disjoint union covers the 
integer right hand sides, for which the infeasibility of ^SU Bl is proven by branching on the 
above hyperplane. 

Key words Subset sum problems, proof of infeasibility, almost all instances 



1 Introduction, and main results 



The subset sum problem <\SUB\) is one of the original NP-complete problems introduced by Karp 
[5]. A particular reason for its importance is its applicability in cryptography. With a being a 
public key, and x the message, one can transmit (3 = ax instead of x. An eavesdropper would need 
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to find X from the intercepted /?, and the pubhc a, i.e. solve ^SU B\i . while a legitimate receiver 
can use a suitable private key to decode the message. In cryptography applications, instances with 
low density are of interest, with the density of a € defined as 



d{a) 



n 



(1.1) 



log2 Ik 



oo 



A line of research started in the seminal paper of Lagarias and Odlyzko [6j, focused on solving 
such instances. In [6] the authors proved that the solution \SU B\ can be found for all but at most 
a fraction of 1/2" a vectors with d{a) < c/n, and assuming that the solution exists. Here c is a 
constant approximately equal to 4.8. Frieze in [3j gave a simplified algorithm to prove their result. 

From now on we will say that a statement is true for almost all elements of a set S, if it is true 
for all, but at most a fraction of 1/2" of them, with the value of n always clear from the context. 

Furst and Kannan in [1] pursued an approach that looked at both feasible, and infeasible 
instances. In [4J they showed that for some c > constant, if M > 2^^"^°^", then for almost 
all a € { 1, . . . , M }" and all (3 the problem \SU i3p has a polynomial size proof of feasibility or 
infeasibility. Their second result shows that for some d > constant, if M > 2*^"^, then for almost 
all o G { 1, . . . , M }" and all (5 the problem <\SUB\ can be solved in polynomial time. 

All the above proofs construct a candidate solution to ^SUB\ as a short vector in a certain 
lattice. Finding a vector whose length is off by a factor of at most 2'-"""'^^/^ from the shortest one 
is done utilizing the famed basis reduction method of Lenstra, Lenstra, and Lovasz [7]. 

Assuming the availability of a lattice oracle, which finds the shortest vector in a lattice, Lagarias 
and Odlyzko in [6] show a similar result under weaker assumption d{a) < 0.6463. The current best 
result on finding the solution of almost all solvable subset sum problems using a lattice oracle is by 
Coster et al [Tj: they require only d{a) < 0.9408. It is an open question to prove the infeasibility of 
almost all subset sum problems with density upper bounded by a constant, without assuming the 
availibility of an oracle. For more references, we refer to [1] and [8]. 

In this work we look at the structure of low density subset sum problems from a complementary, 
or dual viewpoint. With P a polyhedron and v an integral vector, it is clear that P has no integral 
point, if vx is nonintegral for all x € P. We will examine such proofs of infeasibility of ^SUB\i . Let 



where e denotes a column vector of all ones. We will say that for the right hand sides /3 in G{a, v) 
the infeasibility of l\SUB\\ is proven by branching on vx. The reason for this terminology is that 
letting P = {x\ax = P,0<x<e}, /3isin G{a, v) iff the maximum and the minimum of vx over 
P is between two consecutive integers. 

We shall write Z" , and Z"_,_, for the set of nonnegative, and positive integral n- vectors, respec- 
tively. We will throughout assume n > 10, and that the components of a are relatively prime. We 
only consider nontrivial right hand sides of ^SUB\i . i.e. right hand sides from { 0, 1, . . . , |[ a ||i }. 



Gia,v) 



{ /9 € Z I f X Z for all x with ax = (3, < x < e} 



(1.2) 
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Our first main result is: 

Theorem 1. Suppose d{a) < l/(2n). Then we can compute in polynomial time an integral vector 
V, such that for almost all right hand sides the infeasibility of liSU B\} is proven by branching on vx. 

Also, G{a, v) can be covered by the disjoint union of at most 2^"^ intervals, each of length at 
least 2". 

□ 

Note that Theorem [1] further narrows the range of hard instances from the work of Furst and 
Kannan in [4j. 

There are at most 2" right hand sides for which l\SUB\i is feasible, so most right hand sides 
lead to an infeasible instance, when d{a) is small. However, in principle, it may be difficult to prove 
the infeasibility of many infeasible instances. Fortunately, this is not the shown by the 

following corollary. 

Corollary 1. Let a and v be as in Theorem [Jl Then for almost all right hand sides for which 
liSU B\) is infeasible, its infeasibility is proven by branching on vx. 

□ 

There is an interesting duality and parallel between the results on low density subset sum in 
[6l m [1] and Theorem [TJ The proofs in [6l [H [1] work by constructing a candidate solution, while 
ours by branching, i.e. by a dual method. At the same time, they all rely on basis reduction. In our 
proof we find f by a method of Frank and Tardos in |2] , which uses the simultaneous diophantine 
approximation method of Lenstra, Lenstra, and Lovasz [7], which in turn, also uses basis reduction. 

Theorem [T] will follow from combining Theorems [2] and [3] below. Theorem [2] proves that a 
"large" fraction of righ hand sides in ^SUB\} have their infeasibility proven by branching on vx, if 
V is relatively short, and near parallel to a. Theorem [3] will show that such a v can be found using 
diophantine approximation, when d{a) < l/(2n). 

Theorem 2. Let w G A G M, r G M" with A > 1, ||r||i /A < 1, and 

a = Xv + r. 

Then the infeasibility of all, but at most a fraction of 

2(||r||i+l) 
A 

right hand sides is proven by branching on vx. 

In addition, G{a,v) can be covered by the disjoint union of at most \\ v \\i intervals, each of 
length at least A— Hj'IIi. 

3 



(1.3) 



□ 



Theorem 3. Suppose d{a) < l/(2n). Then we can compute in polynomial time v € A G Q, r G 
Q" with a = Xv + r, and 

(1) ||Hli<22-'; 

(2) II r 111 /A < l/2"+2; 

(3) A > 2'^+2. 



□ 

Remark 2. In this discussion we clarify what we mean by the v vector of Theorem [3] being near 
parahel to a. 

Given v,\, and r in Theorem [3l assume 

\v = Proj { a I hn {f }}, r = a — Xv. (1-4) 

Then 

||r|| ||r|| ||r|| 
sin(a, f) = - — - < — — - < ■ (1-5) 
||a|| ||At^|| ||A|| 

So a small upper bound on || r \\ /X will force sin(a, v) to be small as well, i.e. v to be near parallel 
to a. Some of the inequalities in (jl.Sp can be strict. For instance, letting a = {m?.,m? + 1), u = 
+ and defining A and r as in (jl.4p . it is easy to check that r/X (1/2, —1/2), as m — > oo, 
but obviously sin(a, v) 0. 



2 Proofs 



Proof of Theorem [2] Let us fix a and v. Since a and v are nonnegative, and e is a column vector 
of all ones, it holds that 

II a ||i= ae, and ||?; 111=^6, 
and we will use the latter notation for brevity. 

For a row- vector w, and an integer i we write 

max(w,l) = max\ wxlvx < i, < X < e}, 

\ , J I I - , - - J, ^2.6) 

min(w, £) = min { wx \ vx > £, < x < e}. 

The dependence on v, and on the sense of the constraint (i.e. <, or > ) is not shown by this 
notation; however, we always use vx < i with "max", and vx > i with "min", and v is fixed. 
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Claim 1. We have 



min(a, A;) < max{a,k) for k {0, . . . ,ve}, (2-7) 
max(a, A;) — min(a, A;) < \\r\\i for k £ {0, . . . ,ve}, and (2-8) 
mm(a, + 1) - max(a, A;) > - || r ||i +A > /or A; e {0, we - 1}. (2.9) 



Proof The feasible sets of the optimization problems defining min(a, A;), andmax(o,A;) contain 
{x \ vx = k, < X < e}, so ()2.7p follows. 

The decomposition of a shows that for all ii and £2 integers for which the expressions below are 
defined, 

max(a,£i) < max(r, £1) + A£i, and 

f 2 . 10 J 

min(a,£2) ^ min(r, ^2) + A^2) 

hold. Therefore 

min(a,£2) - max(o, ^1) > min(r, £2) - max(r, ^1) + A(^2 - ^1) (2 11) 

> - \\r\\i +\{£2-h)- 

follows, and (I2TTI1 with ^2 = ^1 = A: imphes ([23]), and with ^2 = A; + 1, £1 = A: yields 

Hence 

min(a, 0) < max(a, 0) < min(a, 1) < max(a, 1) < min(a, 2) < • • • < min(a, ve) < max(a, ve). 

(2.12) 

We will call the intervals 

[min(a, 0), max(a, 0)], . . . , [min(a, we), max(a, ve)] 

bad, and the intervals 

Go := (max(a, 0), min(a, 1)), . . . , G^e-i := (max(a, ve — 1), min(a, ve)) 

good. 

The nonnegativity of v and of a imply min(a, 0) = 0, and max(a, ve) = ae, so the bad, and 
good intervals partition [0, ae]: the pattern is bad, good, . . . , good, bad. Some of the bad intervals 
may have zero length, but by (12.90 none of the good ones do. 

Next we show that the good intervals contain exactly the right hand sides for which the infea- 
sibility of I\SU B\i is proven by branching on vx. 

Claim 2. 

G{a,v) = uZo^G^nZ. (2.13) 
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Proof By definition (3 £ G{a,v) iff for some i integer with < I < ve — 1, and for all x with 

< X < e, ax = P 

e<vx<e+l (2.14) 

holds. We show that for this i 

max{a,£) < (3 and (2.15) 

min(a,^ + l) > (5. (2.16) 

First, assume to the contrary that (j2.15p is false, i.e. there exists xi with 

axi > 13, vxi < < xi < e. (2.17) 
Since ^ > 0, denoting by X2 the all-zero vector, it holds that 

ax2 < P, VX2 <e,0<X2<e. (2.18) 

Looking at (j2.17p and (j2.18p it is clear that a convex combination of xi and X2, say x satisfies 

ax = p,vx<e,0<x<e, (2.19) 

which contradicts (j2.15p . Showing (I2.16P is analogous. 

End of proof of Claim [2] 

To summarize. Claim [2] implies that G{a,v) is covered by the disjoint union of ve intervals. By 
(j2.9p their length is lower bounded by A— ||r||i . 



Let us denote by b the number of integers in bad intervals, and by g the number of integers 
in good intervals, i.e. g = \G{a,v)\. Using (12. Sp and (12. 9p . and the fact that there are ve good 
intervals, and ve + 1 bad ones, we get 



g > ve{X- ||r 111 -1), 
b < (fe + l)(||r||i +1), 



(2.20) 



so 



g ^ ve A-(||r||i+l) ^^.21) 



b ve + 1 Ik 111 +1 
2 l|r||i+l 
2(||r||iTl) 



1 A- (||r||i +1) 
> ^' ' (2.22) 

O l| ^ II II 



and from here 



< ^—rr (2.24) 



g + b - l + g/b 



< &tl). (2^25) 
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follows. □ 
Proof of Theorem [3] 

We will use a methodology due to Frank and Tardos introduced in [2] . Here the authors employ 
simultaneous diophantine approximation to decompose a vector with large norm into the weighted 
sum of smaller norm vectors. We will only need one vector that approximates a, and the parameters 
will be somewhat differently chosen in the diophantine approximation. 

We will rely on the following result of Lenstra, Lenstra, and Lovasz from fl\ : 

Theorem 4. Given a positive integer N, and a € Q", we can compute in polynomial time v G 
Z", g G such that 

ll^a — I'lloo < —ana (2.26) 

q < 2''("+i)/'^A^". (2.27) 

□ 



We will use Theorem [J] with 



then set 



a 



A = r = a — Xv. 



Q 

We have the following estimates with ensuing explanation: 



kill < n ||?;||oo< < n2"("+^)/^A^", (2.28) 

I 111 nWrWoo n , , 

I Hi ^ II < (2.29) 



A - A - A^' 

Hall 22"^-"("+i)/4 
— 2"('^+i)/4A^" ~ A^'" ' y • ) 

Here ()2.28p follows from using (|2.26p . since || QOi |[oo — and v is integral. The second inec[uality in 
(j2.29jl is actually equivalent to ()2.26p : and (j2.30p comes from the definition of A, and (12.27p . Hence 
(1), (2), and (3) in Theorem [3] are satisfied when 



^2«(n+l)/4^n < , (2.31 

22n2-n(n+l)/4 



^ ^ (2-32) 



> 2"+2. (2.33) 



But ()2.3ip through (|2.33p are equivalent to 

i2"+2 < N < 22"-("+i)/4-i-2/n^ (2.34) 
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and such an integer exists, when n > 10. □ 

Proof of Corollary [1] Let /(a) be the set of right hand sides for which ^SUB\i is infeasible. 
Theorem [T] states 

]^ > 1 - -. (2.35) 

||a||i +1-2'^ ^ ^ 

Since /(a) C { 0, . . . , 1 1 a 1 1 1 } , Theorem [J imphes 

\G{a,v)\ 1 „ , 

' ' > 1 ; (2.36) 

I{a) - 2^^' ^ ^ 

and since G{a,v) C /(a), (|2.36p means the desired conclusion. □ 

Remark 3. One can use a different methodology to find a near parallel vector to a, which we 
quote from [9]: 

Theorem 5. Suppose d{a) < l/(n/2 + 1). Let U be a unimodular matrix such that the columns of 

U 



a 



are reduced in the sense of Lenstra, Lenstra, and Lovdsz, and v the last row of U ^. Define r and 
A to satisfy (Tip, and let f{a) = Tl^j ||af . 



Then 



(1) \\v\\ (1+ ||r||2)i/2 <||a|| f^a); 

(2) A > l//(a); 

(3) \\r\\ /A<2/(a). 



□ 



These bounds also suffice to prove the first part of Theorem [TJ however, the bound we get on 
II I'll involves ||a|| as well, not just the dimension. 

Acknowledgement Thanks are due to Ravi Kannan, and Laci Lovasz for helpful discussions; to 
Fritz Eisenbrand for discussions on the connection with diophantine approximation; and to Jeff 
Lagarias and Andrew Odlyzko for pointing out reference [1]. 
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